
Use authoritative source instead of PSL for determining valid TLDs

Open · aarongable opened this issue 3 years ago • 1 comment

Today, we use the public suffix list to determine whether a given domain name ends in an ICANN-recognized suffix.

This works well enough, but it's not really what the PSL is intended for. It's intended to list public-like suffixes whose subdomains should be contained in separate security boundaries, i.e. not share cookies. It's not intended to be an authoritative list of all recognized suffixes.

Instead, we should switch to using an authoritative source for this information, to ensure that we get updates about TLD additions and removals as quickly and accurately as possible. Potential sources include:

  • the IANA TLD List -- frequently updated, but just a text file listing all TLDs with no metadata
  • the ICANN gTLD JSON -- includes lots of metadata, including the removal dates of no-longer-valid gTLDs, but only lists gTLDs (not ccTLDs or other TLDs)

aarongable · Oct 25 '22 20:10

I think that this could be implemented using the same mechanism -- a plain text file checked into the repo, using go:embed to load it in the binary, and a cron GitHub Action to update it -- as https://github.com/letsencrypt/boulder/issues/8080

aarongable · Jun 17 '25 21:06
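The mechanism sketched in the comment above, as an added example that is not Boulder's own code: a parser for the IANA TLD list format (the text file the proposal would check in and load with go:embed) and a check that a name's final label is on that list. The sample list is a constructed string standing in for the embedded file; validation of label syntax other than the final label is assumed to happen elsewhere.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Constructed sample in the IANA tlds-alpha-by-domain.txt format: a "# Version"
// comment line, then one upper-case TLD per line (a real build would //go:embed it).
const sampleIANAList = `# Version 2025061700, Last Updated Tue Jun 17 07:07:01 2025 UTC
COM
ORG
XN--P1AI
`

type TLDSet map[string]struct{} // lower-cased set of recognised top-level domains

// ParseIANAList parses the IANA format ('#' comments, blank lines skipped, one
// label per line, case-insensitive); an empty list is an error so a truncated file is noticed.
func ParseIANAList(data string) (TLDSet, error) {
	set := TLDSet{}
	for _, line := range strings.Split(data, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		set[strings.ToLower(line)] = struct{}{}
	}
	if len(set) == 0 {
		return nil, errors.New("tld list is empty")
	}
	return set, nil
}

// HasRecognizedTLD reports whether name (case-insensitive, optional trailing
// dot) has at least two labels and its final label is a listed TLD.
func (s TLDSet) HasRecognizedTLD(name string) bool {
	labels := strings.Split(strings.ToLower(strings.TrimSuffix(name, ".")), ".")
	if len(labels) < 2 {
		return false
	}
	_, ok := s[labels[len(labels)-1]]
	return ok
}

func main() {
	set, err := ParseIANAList(sampleIANAList)
	fmt.Println(err, set.HasRecognizedTLD("Example.COM."), set.HasRecognizedTLD("example.test"))
}
```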